7
eEye Digital Security
EEREAP – Differences from current solutions
–Emulates machine code at each candidate address to see whether execution will reach the payload
–EEREAP doesn't search for byte sequences; it actually emulates at each address to see if the code there can get execution to a specified target
Exhaustive Return Address Discovery using Machine Code Emulation

8
EEREAP (continued)
Benefits of this approach
–Finds more than simple instructions: any code path that leads execution to the payload qualifies, not just known byte patterns
–Potentially every viable path will be uncovered
–More possible addresses to match across various revisions of victim code: more universal return addresses, or ones made only of ASCII bytes?

9
EEREAP (concluded)
The execution flow beginning when a candidate address is loaded is the real-world determinant of its effectiveness.
Emulating at each candidate is a theoretically ideal solution, limited only by the amount of context information and the engine's capabilities.

10
How It Works
Welcome to the EEREAP Magical Mystery Tour

11
Overview
EEREAP is an Intel 32-bit machine code emulation engine that supports nondeterminism (undefined values) and abstract address spaces.
It accepts a state and emulates at each candidate address to determine which candidates will cause execution to reach a target memory region.

12
EEREAP – State
The state is given as a process memory snapshot and a context stating any available information on registers and memory contents.
–Requires user observation to construct
–A path from the registers to a target buffer must exist
–If there is a way from the initial state to the target buffer, EEREAP is designed to find it

13
EEREAP – Memory Regions
Memory regions are expressed abstractly because their locations shift between instances of a vulnerable process.
Example: ESP and EDI (pointer to payload in heap) observed across three runs of the same crash:
        ESP       EDI
Run 1:  0012FEC4  025470A8
Run 2:  0032FEC4  0252F308
Run 3:  0022FEC4  025206A0
Stack and heap block are both identifiable memory regions whose addresses shift between runs, due to the dynamic nature of thread creation and heap memory allocation.

15
EEREAP – Context 2
Memory regions must be given a size, and can be defined with certain attributes as appropriate.
Size is usually just a guess, because an exact size often cannot be determined.
Attributes:
–Read-Only: emulation fails on write access; useful for protecting the payload
–Target: region contains a payload; emulation ends successfully for the return address candidate if execution reaches it

16
EEREAP – Context 3
Memory regions can be mapped by specifying that one region starts at a relative offset within another.
For instance, a target buffer could be located in the stack, or a data area could be assigned a virtual address.
On dereference, the attributes of all regions overlapping at that address apply.

18
EEREAP – Emulation
For each return address candidate, emulation is started fresh:
–EIP points to that address
–Other registers and memory are initialized according to the context
These runs will be referred to as emulation threads, although only one is really performed at a time.

19
EEREAP – Emulation 2
–Arithmetic attempts to preserve the destination as a pointer (if possible), then as an integer
–Takes unknown bits into account, erring on the side of nondeterminism
–EFLAGS are also modified and may be partially undefined
Each instruction is emulated as faithfully as possible…

21
EEREAP – Emulation 4: Loops and Branches
An instruction execution countdown is used to prevent infinite loops.
If a Jcc or LOOPcc is reached with EFLAGS/ECX undefined, we follow both possible execution paths:
–Parent succeeds if both child threads reach a target buffer
–Each child gets a copy of the parent's context with the instruction countdown halved

22
EEREAP – Emulation 5: Success!
If an emulation thread (or both of its children, if it forked) reaches a memory region marked as Target, the return address candidate at which it started is considered a success and is logged.
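As an added illustration of the engine described on slides 11 through 22 (abstract regions with Target and Read-Only attributes, one region mapped at an offset inside another, a fresh emulation thread per candidate, a fork with a halved countdown when a Jcc meets an undefined flag, and success when control lands in a Target region), here is a toy Python scanner. It is not eEye's code, and EEREAP's instruction coverage and arithmetic model are far richer: the instruction subset here (PUSH r32, RET, CALL/JMP r32, JMP/JZ/JNZ rel8), the single tracked flag (ZF), the region names, the code bytes, the base address 0x10001000 and the crash-time register values are all constructed for the example.

```python
"""Toy EEREAP-style scan over abstract memory regions (added illustration, not eEye's code;
the instruction subset, region names, bytes and addresses are all constructed)."""
import copy
from collections import namedtuple
REGS = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]
Ptr = namedtuple("Ptr", "region off")    # pointer into a named region; None means undefined
Region = namedtuple("Region", "size attrs parent data")  # attrs: {target, ro}; parent: (region, off)
class Abort(Exception): pass             # thread cannot continue (undefined pointer, bad write)

def canon(regions, p):                   # resolve p through parent links so overlaps compare
    if not isinstance(p, Ptr):
        raise Abort()
    while regions[p.region].parent:
        par, base = regions[p.region].parent
        p = Ptr(par, base + p.off)
    return p

def regions_at(regions, p):              # every region overlapping p; all their attrs apply
    r = canon(regions, p)
    return [n for n, g in regions.items() if (s := canon(regions, Ptr(n, 0))).region
            == r.region and s.off <= r.off < s.off + g.size]

def load(regions, p):                    # dword read: None unless some region knows the value
    r = canon(regions, p)
    for n in regions_at(regions, p):
        rel = r.off - canon(regions, Ptr(n, 0)).off
        if rel in regions[n].data:
            return regions[n].data[rel]

def store(regions, p, v):                # dword write: unmapped or Read-Only kills the thread
    hit = regions_at(regions, p)
    if not hit or any("ro" in regions[n].attrs for n in hit):
        raise Abort()
    r = canon(regions, p)
    regions[r.region].data[r.off] = v

def add(v, imm):                         # keeps a pointer a pointer; None stays undefined
    return Ptr(v.region, v.off + imm) if isinstance(v, Ptr) else (None if v is None else v + imm)

def emulate(code, base, regs, regions, eip, budget, zf=None):
    """One emulation thread on a fresh copy of the context; True iff it reaches a Target."""
    regs, regions = dict(regs), copy.deepcopy(regions)
    b = lambda k: code[k] if 0 <= k < len(code) else 0
    s8 = lambda x: x - 256 if x > 127 else x
    def push(v):
        regs["esp"] = add(regs["esp"], -4); store(regions, regs["esp"], v)
    try:
        while budget > 0:                # instruction countdown defeats infinite loops
            budget -= 1
            op, m = b(eip - base), b(eip - base + 1)
            if 0x50 <= op <= 0x57:                                       # PUSH r32
                push(regs[REGS[op - 0x50]]); eip += 1
            elif op == 0xC3:                                             # RET
                eip = load(regions, regs["esp"]); regs["esp"] = add(regs["esp"], 4)
            elif op == 0xFF and m >> 6 == 3 and (m >> 3) & 7 in (2, 4):  # CALL/JMP r32
                if (m >> 3) & 7 == 2:
                    push(eip + 2)
                eip = regs[REGS[m & 7]]
            elif op == 0xEB:                                             # JMP rel8
                eip += 2 + s8(m)
            elif op in (0x74, 0x75):                                     # JZ / JNZ rel8
                taken, fall = eip + 2 + s8(m), eip + 2
                if zf is None:           # undefined flag: follow both paths, half the countdown
                    return all(emulate(code, base, regs, regions, e, budget // 2, z)
                               for e, z in ((taken, op == 0x74), (fall, op != 0x74)))
                eip = taken if zf == (op == 0x74) else fall
            else:
                return False             # opcode outside the toy subset
            if isinstance(eip, Ptr):     # control went into data: success iff it is a Target
                return any("target" in regions[n].attrs for n in regions_at(regions, eip))
            if eip is None:
                return False             # RET/JMP through an undefined value
    except Abort:
        return False
    return False                         # countdown expired

def scan(code, base, regs, regions, budget=32):   # emulate afresh at every address
    return [base + i for i in range(len(code))
            if emulate(code, base, regs, regions, base + i, budget)]

# Constructed context: ESP sits just past the clobbered return address, the exploit buffer
# continues there on the stack, and EDI points at a heap copy of the payload.
REGIONS = {
    "stack": Region(0x100, frozenset(), None, {}),
    "payload": Region(0x80, frozenset({"target"}), ("stack", 0x40), {}),
    "heap": Region(0x200, frozenset({"target", "ro"}), None, {}),    # RO protects the payload
}
CRASH_REGS = {**dict.fromkeys(REGS), "esp": Ptr("stack", 0x40), "edi": Ptr("heap", 0)}
CODE_BASE = 0x10001000                   # constructed, non-relocating module image
CODE = bytes.fromhex(
    "ffe4"  # 00 jmp esp         ESP -> stack payload (Target): success
    "7402"  # 02 jz +2           ZF undefined at entry: fork
    "ffe4"  # 04 jmp esp           fall-through child reaches the Target
    "ffd7"  # 06 call edi          taken child reaches the heap Target too, so 02 succeeds
    "7502"  # 08 jnz +2          fork again
    "ffe4"  # 0a jmp esp
    "c3"    # 0c ret               [esp] undefined: this child fails, so 08 fails
    "ebfe"  # 0d jmp $            infinite loop, killed by the countdown
    "54c3"  # 0f push esp; ret   returns into ESP: success
)
HITS = scan(CODE, CODE_BASE, CRASH_REGS, REGIONS)   # -> offsets 00, 02, 04, 06, 0a, 0f
```

Because ZF is undefined at thread entry, the candidate at offset 02 forks: one child reaches the stack payload through jmp esp and the other the heap payload through call edi, so the parent succeeds. The candidate at 08 forks too, but its taken child executes ret through an undefined stack dword and fails, so the parent fails. The jmp $ at 0d burns its countdown and is rejected, and push esp; ret at 0f succeeds because the push stores a known pointer that the ret then consumes. The Read-Only check in store() is enforced even though nothing in this constructed code writes to the heap region; a candidate that did so would be rejected the moment it executed the write.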

23
How to Use It / Demonstration
Don't Fear the EEREAPer

24
EEREAP – How-To
Crash the target process using the vulnerability to be exploited
–Should put the process as close as possible to the state that will be in effect when execution is hijacked
–e.g., a finished exploit with an invalid return address (0x41414141, anyone?)
–Process should definitely have a debugger on it with first-chance exceptions caught

26
EEREAP – How-To 3
Create the context
–Study the environment at crash time: consistent pointers and integers; memory regions of interest
–Reverse engineer as desired
–Context and snapshot are both specific to one version of the vulnerable process